No one likes to think of anything going wrong with your business data, but when it comes to the GDPR and the hefty fines the regulator has permission to hand out, it makes sense to know what to do in the event of a personal data breach occurring.

What is a personal data breach?

It’s defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

Breaches will be categorised according to three principles:

  1. Confidentiality - Unauthorised or accidental disclosure of, or access to, personal data.
  2. Integrity - Unauthorised or accidental alteration of personal data.
  3. Availability - Unauthorised or accidental loss of access to, or destruction of, personal data. For example, deletion of data accidentally or by an unauthorised person, a lost decryption key in the case of encrypted data, or unavailability due to a loss of connectivity that results from power failure, a catastrophic IT incident, or a service attack from malware or ransomware.

It’s worth saying an availability breach may need to be noted, even if data is only temporarily lost or unavailable. A breach at this level will only need to be brought to the supervisory authority’s attention if it’s likely to result in a risk to the rights of individuals.

When should a breach be raised?

If the breach of personal data is deemed to pose a risk to the rights and freedoms of an individual or individuals, there’s an obligation on the part of the business to bring it to the supervisory authority’s attention as soon as possible.

The GDPR recitals explain that such risks exist when the breach could lead to physical, material or non-material damage for data subjects, such as:

  • Discrimination
  • Identity theft or fraud
  • Financial loss or
  • Reputational damage

Assessing the risk

Assessing the risk requires ‘objective consideration of the likelihood and severity of risk to rights’. That means looking at:

  • The type of breach
  • The nature, sensitivity and volume of data in question
  • How easy it is to personally identify an individual
  • The severity of consequences for the individual
  • The special characteristics of the individual, for example a breach affecting vulnerable individuals that could place them at a greater risk of harm
  • The number of affected individuals
  • The special characteristics of the data controller (there’s a greater threat if, for example, a medical organisation which processes sensitive data is breached).

Who do you need to notify?

If a breach affects individuals in more than one member state of the EU, the controller must notify its lead supervisory authority.

It can also report an incident to a supervisory authority in a member state where individuals are known to be affected. Right now, this appears to be optional rather than mandatory, but if the controller decides not to, it should advise the lead supervisory authority of the member states in which data subjects are likely to have been affected.

How long do you have to notify authorities?

The data controller must report a personal data breach to a supervisory authority no later than 72 hours after they have become aware of the issue.

When does the clock start ticking?

The 72 hours begin once the data controller has a ‘reasonable degree of certainty’ that a security incident has occurred and has caused personal data to be compromised.

What’s a reasonable degree of certainty?

When the controller is presented with clear evidence. For example, if an unencrypted CD containing personal data was lost, the controller would be aware and ‘certain’ as soon as they were advised it had gone missing. In this instance, they’d be required to notify the relevant authorities immediately.

It won’t always be as black and white as that, however, and where it takes time to establish certainty, the guidelines allow for a short period of investigation before notification. For instance, malware may result in data being extracted slowly and over a long period of time without being noticed until a routine check has been performed. Similarly, data leakage can occur but may not be noticed until an audit of the IT system’s functionality highlights it.

As a rule, investigation should be prompt and the immediate aims should always be to:

  • Establish certainty that a breach has occurred, and
  • Identify the possible consequences for individuals

A more detailed investigation can take place after notification.

What must the notification contain?

At the very least, notification must include:

  • The nature of the breach
  • The categories affected
  • The personal data records concerned
  • Approximate number of data subjects
  • The likely consequences of the breach, and
  • The measures taken or proposed by the data controller

In some circumstances, where it’s clear there has been a breach, but the controller hasn’t gathered all the required information, notification will be accepted in phases. Delayed notifications will also be deemed acceptable in exceptional circumstances.

Phased and delayed notifications still require the controller to explain the potential scope, cause and plan to deal with the breach, as best they can.

Do I need to notify the data subjects?

Not always. Data subjects only need to be notified if the breach is considered to pose a high risk to their rights and freedoms. For example, if a breach occurs and appropriate measures have been taken to mitigate the risk or the effort to contact individuals is disproportionate, notification may not be required.

It’s worth saying however, that if the controller plans to rely on one of the exceptions, they must also be able to demonstrate how it applies.

If notification is required, individuals should be contacted ‘without undue delay’, so as soon as possible essentially, with a dedicated message (not buried in something else) and the issue should be communicated in plain English, so there’s no room for ambiguity.

It should also include a description of the breach, likely consequences, contact details and measures currently underway or planned to redress any risk.

What records do you need to keep?

Controllers are required to keep records of all personal data breaches, whether the relevant authority has been notified or not.

Records must include details of the breach, the effects and consequences, and any remedial action taken. The Working Party also suggests recording the rationale around decisions taken following an incident, particularly if you decide not to report it.

As you can see, there are a lot of ‘may’ and ‘could’ scenarios here, because we don’t yet know how exactly the GDPR will play out and how stringently it will be applied, but it is best to ensure your organisation is completely covered up-front, rather than wait and see what you can get away with. It is therefore wise to seek the help of a certified GDPR expert who can consult with you on the steps you need to take to be compliant.

How can a GDPR consultant help me prepare?

  1. Employee training: Your employees are the first line of defence when it comes to anything IT-related, as their actions (or lack of action) can make any issue infinitely better or worse. New business obligations and processes must be communicated, explained and demonstrated as part of the new ways of working across your business if employees are to help you meet the GDPR requirements. Your GDPR consultant can help put those processes in place or run staff training sessions around the new regulations and how they will impact employees day-to-day.
  2. Smarter security: Assessing your IT security and helping to make your systems work harder, allowing you to detect and respond to any breach (and better yet, prevent them). Smart automated systems, for example, can put in place measures that analyse data flow and report irregularities such as unusual access requests, file deletion or alterations. In other words, flagging issues before they become something too big to manage in-house.
  3. Response planning: Working with your data controller to create, test and distribute a clear response plan that includes timescales and contact details, and assigns clear responsibilities. The ability to react quickly and efficiently will prove invaluable should anything go wrong.
  4. Accountability: Ensuring record keeping becomes a key part of your ‘business as usual’ operation, without it swallowing up too much time, effort or network space. Rationale and accountability come across strongly in the new regulation, and the more you can prove, the better placed you’ll be if you ever need to justify a decision or a course of action rolled out.
  5. Software stress testing: Stress testing your IT security to identify where improvements are necessary to keep you GDPR-compliant, recommending the best software, hardware and IT infrastructure to keep you profitable and safe. Encryption is just one tool that could add an additional layer of protection to your business and even save you from having to report a breach, if the information lost is also rendered useless.
  6. Service contracts: If you don’t have them already, a good consulting service should also be able to make service provider contracts a priority. Control and awareness go hand-in-hand when it comes to breaches, so it’s imperative that processor contracts include immediate notification of any data management issues, in order for data controllers to meet their GDPR obligations and start the process with the most appropriate authority.

We have already worked with companies of every size across the UK to help them understand the magnitude of GDPR and ensure their businesses are fighting fit come May 2018 with the right IT support.

There’s no doubt that the organisations that have prepared will reap the rewards when the new laws come into effect, while businesses that have buried their heads in the sand and hoped for the best will have to reluctantly press pause and play catch-up.

As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation, assessing what you have and what you need to do to avoid the risk of regulatory fines.

Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist:
